Surveillance Possibilities on the ECS
Disclaimer: Your mileage may vary.
[- Seuss, 10/04/00 -]
PBXs invariably offer a rich set of surveillance options to a skilled
eavesdropper, from soft wiretaps to commands that allow bugging rooms through
the handsets. Lucent's enterprise phone systems provide an eavesdropper with
an even greater wealth of possibilities, particularly the Definity ECS. This
article only touches on hostile programming of the switch; NIST has an
excellent report on PBX security that discusses hardware attacks thoroughly.
- Hostile Features
* Bugging Attacks
You can bug a room through a telephone. Surprise. Typically this will
require some modification to the handset so the phone is never really on hook,
e.g. shorting the hook-switch contacts with a capacitor. Attach an audio
amplifier to the line, and room audio will be heard pretty clearly. On a POTS
line this sort of attack can be countered either by using a handset with a
push-to-talk button, or by connecting a listen-down amplifier to the line and
monitoring it for room audio. On a PBX, however, a few commands and a flipped
switch can accomplish the same thing.
Auto answer is a feature used by many people who have their hands
busy, e.g. secretaries and receptionists. After a ring or two the phone
will automatically go off-hook. By itself auto answer is of little
consequence. However, it can be coupled with an anti-disturbance feature that
allows a caller to mute the called phone's ringing. Together these two features
allow the phone to go off-hook without any warning and let an eavesdropper
receive clear room audio. A bit of hardware intervention will be needed here:
to engage auto answer the user has to move a slide switch on the phone from
ring to auto answer. If long-term surveillance is planned, it's possible either
to replace the existing phone with one that has the answer selection switch
disabled, or to have a rectifier wired into the line to suppress ringing.
Lucent platforms include a feature that permits only internal calls to be auto
answered, while external calls ring audibly. Making intercom calls via
remote access will create less suspicion than a station that never rings at all.
* Soft wiretaps
Analog station sets allow any user to pick up an extension and monitor
the content of a call. Due to the more complex signaling used by digital
station sets, just picking up an extension phone will yield very little in the
way of usable eavesdropping data. However, there are several features available
on the ECS that allow multiple people to add themselves to a call on a
digital set by simply picking up the receiver.
Call bridging is the most obvious technique for adding oneself to an ongoing
call. Call bridging allows a particular phone to answer (and incidentally
monitor) calls on another extension. This method of eavesdropping is rather
impractical as it causes calls to either extension to ring both phones. This
can be reduced by assigning the phone used to eavesdrop an unused number or
VDN, or by forwarding all of its calls to such a number. Temporary bridged
appearances, which create a roving bridged appearance, are another possibility.
Pickup groups are a feature provided by several manufacturers as a smaller
but more flexible alternative to ACDs. The feature allows a call to ring a
group of phones simultaneously, and allows any of them to enter the call. Any
set in the pickup group can therefore be used to monitor a call to anyone else
in the group. Adding yourself to a pickup group appears to be a good way to
monitor calls from on site. Creating a pickup group will, however, be very
obvious under examination during a switch audit.
The Busy Verification feature allows privileged users to add themselves to
ongoing calls as an additional party. Busy verification isn't as sexy as it
appears, though. Usually an alerting tone is used in conjunction with
override functions to alert the calling and called parties that another person
has joined the conversation; after the first long tone it sounds again
every 12 seconds. Verifying a number that's on a multi-line station will
generate a priority call (and an irritating special ring) to any available
line on the station.
The Definity incorporates a special function that will monitor ongoing
conversations without any notification at all. This is called 'service
observation'. Service observation does not include an alerting tone. Service
observation is the most attractive choice for ongoing soft wiretaps, because
it can be easily accessed remotely.
Service observation is best set up via a call vector.
Type: change vector x (make sure x isn't a currently assigned vector) and
press return, then enter the following steps:
1. wait-time 0 secs hearing ringback
2. collect 4 digits after announcement 9876 (make sure there's a working
   announcement here; adding more requires adding a module to the switch)
3. route-to digits with coverage n
4. stop
Now create a vector directory number that routes to this vector.
Type: add VDN 1234 and press return.
You'll be presented with the Vector Directory Number screen. Assign an
unused extension and an innocuous name. Make sure the associated COR allows
service observation.
When the VDN is called, the vector will initiate, spout off some meaningless
crap, and wait for the caller to dial an extension. The vector will then
connect the caller to the requested extension.
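The article points out that a pickup group stands out in a switch audit; the same audit can look for every other configuration it describes. The script below is an added example written for this page, not code from the article or from Lucent, and it shows what such an audit checks: stations with auto answer engaged, stations that carry a bridged appearance while forwarding their own calls away, pickup group membership, and VDNs whose vector routes to caller-collected digits under a COR that can service observe. The configuration layout it reads is a constructed, simplified stand-in for the switch's own station, VDN, vector and COR administration screens, and every field name in it (auto_answer, bridged, forward_to, pickup_group, can_be_service_observer) is an assumption made for this example; a real audit would first normalise the switch's own exports into this shape.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in a simplified layout invented for this example. It is
# NOT the Definity's real "list station" / "display vector" output; an auditor
# would first normalise the switch's own exports into something like this.
SAMPLE_CONFIG: Dict = {
    "stations": {
        "3001": {"name": "Reception", "auto_answer": "all",  "bridged": [],       "forward_to": None,   "pickup_group": 7},
        "3002": {"name": "Jones",     "auto_answer": "none", "bridged": [],       "forward_to": None,   "pickup_group": 7},
        "3003": {"name": "Spare",     "auto_answer": "none", "bridged": ["3002"], "forward_to": "3999", "pickup_group": None},
        "3004": {"name": "Smith",     "auto_answer": "icom", "bridged": [],       "forward_to": None,   "pickup_group": None},
    },
    "vdns": {
        "1234": {"name": "Info Line", "vector": 12, "cor": 5},
        "1250": {"name": "Help Desk", "vector": 3,  "cor": 1},
    },
    "vectors": {
        12: ["wait-time 0 secs hearing ringback",
             "collect 4 digits after announcement 9876",
             "route-to digits with coverage n",
             "stop"],
        3:  ["wait-time 2 secs hearing ringback",
             "queue-to split 1 pri l",
             "stop"],
    },
    # The two service-observing permissions of a COR, modelled as booleans
    # (field names are an assumption for this example).
    "cors": {
        1: {"can_be_service_observed": False, "can_be_service_observer": False},
        5: {"can_be_service_observed": True,  "can_be_service_observer": True},
    },
}

Finding = Tuple[str, str, str]  # (check name, object identifier, detail)

COLLECT_RE = re.compile(r"^collect\s+\d+\s+digits\b")
ROUTE_TO_DIGITS_RE = re.compile(r"^route-to\s+digits\b")


def caller_steered_vectors(vectors: Dict[int, List[str]]) -> List[int]:
    """Vectors that collect digits from the caller and later route-to those
    digits: the caller, not the administrator, picks the destination."""
    hits = []
    for number, steps in vectors.items():
        collected = False
        for step in steps:
            s = step.strip().lower()
            if COLLECT_RE.match(s):
                collected = True
            elif collected and ROUTE_TO_DIGITS_RE.match(s):
                hits.append(number)
                break
    return sorted(hits)


def pickup_group_members(stations: Dict[str, dict]) -> Dict[int, List[str]]:
    """Pickup group number -> sorted member extensions."""
    groups: Dict[int, List[str]] = {}
    for ext, st in stations.items():
        if st.get("pickup_group") is not None:
            groups.setdefault(st["pickup_group"], []).append(ext)
    return {g: sorted(m) for g, m in groups.items()}


def audit(config: Dict) -> List[Finding]:
    findings: List[Finding] = []
    steered = set(caller_steered_vectors(config["vectors"]))

    # VDNs: a caller-steered vector on a COR that may service observe is the
    # remotely reachable wiretap pattern; a caller-steered vector alone still
    # deserves a look.
    for ext, vdn in sorted(config["vdns"].items()):
        if vdn["vector"] not in steered:
            continue
        cor = config["cors"].get(vdn["cor"], {})
        if cor.get("can_be_service_observer"):
            findings.append(("vdn-service-observe", ext,
                             f"vector {vdn['vector']} routes to caller-dialed digits "
                             f"and COR {vdn['cor']} can service observe"))
        else:
            findings.append(("vdn-caller-steered", ext,
                             f"vector {vdn['vector']} routes to caller-dialed digits"))

    # Stations: auto answer (room audio) and a bridged appearance combined with
    # forwarding (a bridge that never rings on its own account).
    for ext, st in sorted(config["stations"].items()):
        if st.get("auto_answer", "none") != "none":
            findings.append(("auto-answer", ext, f"auto answer = {st['auto_answer']}"))
        if st.get("bridged") and st.get("forward_to"):
            findings.append(("bridged-and-forwarded", ext,
                             f"bridges {', '.join(st['bridged'])} while forwarding "
                             f"its own calls to {st['forward_to']}"))

    # Pickup groups: every member can pick up, and so listen to, the others' calls.
    for group, members in sorted(pickup_group_members(config["stations"]).items()):
        findings.append(("pickup-group", str(group), "members " + ", ".join(members)))
    return findings


def findings_by_check(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group the object identifiers by check name, for reporting."""
    out: Dict[str, List[str]] = {}
    for check, obj, _ in findings:
        out.setdefault(check, []).append(obj)
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    for check, obj, detail in audit(SAMPLE_CONFIG):
        print(f"{check:24} {obj:6} {detail}")
```

Run against the constructed sample, the audit flags VDN 1234 (its vector collects four digits and routes to them, and its COR can service observe), stations 3001 and 3004 for auto answer, station 3003 for bridging another extension while forwarding its own calls away, and lists pickup group 7. The point of the VDN check is the step pattern rather than any particular vector number: collect digits followed by route-to digits is what makes a vector usable as a remote front end for service observing, whatever name the VDN carries.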
Appendix A: Default ECS Logins
cust
rcust
bcms
browse
NMS